
Major ASP.Net Security Issue? - ASP.NET Security


  1. #1

    Major ASP.Net Security Issue?

    I have found what I believe to be a serious security
    issue in ASP.Net. If you have:

    1. Your website configured for anonymous access
    2. Elect under web.config to set the sessionstate
    attribute of cookieless to true

    Anyone from any IP address or across another browser can
    copy the URL and work within the session. My question
    is "Why doesn't ASP.Net provide an option around ensuring
    all requests for a user session originate from the same
    IP address and/or same useragent?" I know that some
    people sit behind firewalls, proxies and layer 4 devices
    that could load balance and affect HTTP traffic, but it
    honestly escapes me why I can access my web application
    on any machine inside or outside of my network with just
    the sessionid in the URL from even different browsers.
    There must be a way to control this in the
    configuration. Am I alone in finding this troubling?
    Keith

  2. #2

    Re: Major ASP.Net Security Issue?

    It seems to me that this would be listed as a predictable downside to using
    cookieless sessions. Verifying IPs and/or user agents wouldn't be any real
    way to avoid this, so it makes sense to me that this wouldn't be the default
    behavior for asp.net to check that. And if it were to check it, where would
    it store this info? In session variables? Hmmph.

    --

    Ray at home
    Microsoft ASP MVP

    "Keith" <keithkeithadler.com> wrote in message
    news:77b601c3e87d$1c5144f0$a101280aphx.gbl...
    > I have found what I believe to be a serious security
    > issue in ASP.Net. If you have:
    >
    > 1. Your website configured for anonymous access
    > 2. Elect under web.config to set the sessionstate
    > attribute of cookieless to true
    >
    > Anyone from any IP address or across another browser can
    > copy the URL and work within the session. My question
    > is "Why doesn't ASP.Net provide an option around ensuring
    > all requests for a user session originate from the same
    > IP address and/or same useragent?" I know that some
    > people sit behind firewalls, proxies and layer 4 devices
    > that could load balance and affect HTTP traffic, but it
    > honestly escapes me why I can access my web application
    > on any machine inside or outside of my network with just
    > the sessionid in the URL from even different browsers.
    > There must be a way to control this in the
    > configuration. Am I alone in finding this troubling?


  3. #3

    Re: Major ASP.Net Security Issue?

    We have used cookieless sessions and what you say is true, but we used SSL
    to encrypt traffic, which as you know requires a connection to the same
    client/server (i.e. if the connection is broken, then the SSL session is invalid), so
    this IP verification approach could still work, but it assumes SSL, which of
    course is really outside of ASP.NET's domain.

    Further to this you could use client certs to verify integrity, which
    strictly doesn't stop people from hijacking a session (it simply minimises it),
    but there are just so many ways to approach this, each with positives and
    negatives, that if the ASP.NET team adopted one approach, it would
    implicitly be advocating this one approach, which may very well be flawed
    under a number of different situations.

    My 2 cents.

    --
    - Paul Glavich


    "Keith" <keithkeithadler.com> wrote in message
    news:77b601c3e87d$1c5144f0$a101280aphx.gbl...
    > I have found what I believe to be a serious security
    > issue in ASP.Net. If you have:
    >
    > 1. Your website configured for anonymous access
    > 2. Elect under web.config to set the sessionstate
    > attribute of cookieless to true
    >
    > Anyone from any IP address or across another browser can
    > copy the URL and work within the session. My question
    > is "Why doesn't ASP.Net provide an option around ensuring
    > all requests for a user session originate from the same
    > IP address and/or same useragent?" I know that some
    > people sit behind firewalls, proxies and layer 4 devices
    > that could load balance and affect HTTP traffic, but it
    > honestly escapes me why I can access my web application
    > on any machine inside or outside of my network with just
    > the sessionid in the URL from even different browsers.
    > There must be a way to control this in the
    > configuration. Am I alone in finding this troubling?

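The two web.config variants at the centre of this thread, as an added example rather than configuration posted by anyone in it: the first reproduces the cookieless setting Keith describes, the second keeps the session id in a cookie and, following Paul's point about SSL, only sends it over SSL. It assumes ASP.NET 2.0 or later for the httpCookies element; cookieless="false" on sessionState is valid on 1.x as well.

```xml
<!-- Weak: the setting described in the thread. The session id travels in
     the URL path, so any copy of the URL (bookmark, proxy or server log,
     Referer header, pasted link) carries the live session with it, from
     any client address and any browser. -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>

<!-- Hardened: keep the session id in a cookie and out of the URL.
     httpOnlyCookies stops page script reading the cookie; requireSSL stops
     the browser sending it over plain HTTP, so the session only exists on
     the encrypted connection Paul relies on. The httpCookies element is an
     ASP.NET 2.0+ feature (assumption stated in the lead-in). -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="false" timeout="20" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL set, the site must actually be served over HTTPS or the session cookie will never be sent back and every request will start a new session.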
